US7062566B2 - System and method for using virtual local area network tags with a virtual private network - Google Patents


Publication number
US7062566B2
Authority
US
United States
Prior art keywords
security
packet
internet protocol
security gateway
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
US10/279,364
Other versions
US20040083295A1 (en
Inventor
Satish Amara
Chandra Warrier
Ching Kung
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Valtrus Innovations Ltd
Original Assignee
3Com Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 3Com Corp
Priority to US10/279,364 (patent US7062566B2)
Assigned to 3COM CORPORATION: ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: AMARA, SATISH, KUNG, CHING, WARRIER, CHANDRA
Priority to AU2003287191A (patent AU2003287191A1)
Priority to PCT/US2003/033643 (patent WO2004038559A2)
Priority to TW092129674A (patent TW200420071A)
Publication of US20040083295A1
Application granted
Publication of US7062566B2
Assigned to HEWLETT-PACKARD COMPANY: MERGER (SEE DOCUMENT FOR DETAILS). Assignors: 3COM CORPORATION
Assigned to HEWLETT-PACKARD COMPANY: CORRECTIVE ASSIGNMENT TO CORRECT THE SEE ATTACHED. Assignors: 3COM CORPORATION
Assigned to HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.: ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: HEWLETT-PACKARD COMPANY
Assigned to HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.: CORRECTIVE ASSIGNMENT PREVIOUSLY RECORDED ON REEL 027329 FRAME 0001 AND 0044. Assignors: HEWLETT-PACKARD COMPANY
Assigned to HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP: ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
Assigned to VALTRUS INNOVATIONS LIMITED: ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: HEWLETT PACKARD ENTERPRISE COMPANY, HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Anticipated expiration
Expired - Lifetime


Abstract

An exemplary system and method for using a network access system, such as a virtual private network (VPN), are provided. A user device may have a user session with a home agent. Additionally, an initiating security gateway may be in communication with the home agent, and a terminating security gateway may be in communication with the initiating security gateway via a tunnel (e.g., Internet Protocol in Internet Protocol (IP-in-IP) or Internet Protocol security (IPsec) tunnel). Further, a virtual local area network (VLAN) tag associated with the user session may map to a selector operable in a security policy database. The selector may be used to find a security policy defining an IPsec procedure, and the security policy may be applied to the tunnel. Also, the initiating security gateway may also include a Quality of Service (QoS) module that determines QoS markings for a packet traveling along the tunnel.

Description

FIELD OF INVENTION
This invention relates to network access systems. More specifically, it relates to a system and method for accessing a virtual private network utilizing virtual local area network tags.
BACKGROUND OF INVENTION
Network access systems are becoming increasingly important in modern society. People from around the world may now utilize networks such as the Internet to remotely exchange data, information, and ideas. Further, network access systems may be important to companies and businesses worldwide. Many corporations have corporate local area networks (LANs) that employees and clients may remotely access. Additionally, network access systems are often utilized in electronic commerce, such as during Internet transactions, credit card transactions, and Automated Teller Machine (ATM) withdrawals.
Virtual private networks (VPNs) are emerging as an important type of network access system. VPNs may enable users to remotely connect to private LANs via public networks (e.g., the Internet). Before VPNs, large-scale private wide area networks (WANs) were often utilized for remote connections to a LAN, though such networks were often costly and required a complicated network topology. VPNs may provide the advantage of extending the network connectivity of LANs beyond their physical limits while reducing cost and simplifying network topology.
Since a VPN may use a public connection to transmit private data, a mechanism for securing data transmitted across such a network may be beneficial. In recent years, the Internet Protocol Security suite (IPsec) has emerged as an important standard for securing data transferred across a VPN. IPsec can utilize a number of encryption technologies (e.g., Diffie-Hellman key exchange, public key cryptography) and authentication technologies (e.g., digital certificates) for securing packet-switched data. An IPsec header may contain an authentication header that helps ensure the integrity of transmitted data, and an encapsulated security payload (ESP) for securing transmitted data.
Furthermore, VPNs may utilize Quality of Service (QoS) to enable network service providers to offer differentiated levels of service to different users. For example, network service providers may use QoS to set a maximum latency, minimum bandwidth, and other such parameters for data transmitted across a VPN for a particular user. Furthermore, network service providers may charge a rate proportional to the QoS level (e.g., a lower rate for a basic service, and a higher rate for a premium service). A Type of Service (ToS) byte within a header of an IP packet may be utilized for specifying QoS. Furthermore, a variety of known protocols (e.g., Resource Reservation Setup Protocol (RSVP)) may be used to implement QoS in VPNs.
Despite these advantages, however, current VPNs that utilize IPsec and/or QoS may face a number of drawbacks. First, prior art systems, such as those utilizing RSVP, are typically not scalable. Furthermore, prior art VPNs using IPsec and QoS may not effectively load balance transmitted data, causing widespread delays and inefficient network usage. Additionally, prior art VPNs may not enable users to customize IPsec policy for different user domains and/or user sessions. Thus, all users may be offered the same level of security regardless of their individual security needs.
Accordingly, it is desirable to have a system and method for accessing a VPN that overcomes the above deficiencies associated with the prior art by utilizing virtual local area network (VLAN) tags.
SUMMARY
A system, device, and method for utilizing VLAN tags with a network access system, such as a VPN, are provided. An exemplary network access system may include a home agent in communication with a user device via a user session. Furthermore, an initiating security gateway may be in communication with the home agent. In addition, a terminating security gateway may be in communication with the initiating security gateway via a tunnel. Further, a VLAN tag associated with the user session may map to a selector operable in a security policy database.
In another aspect of the present embodiment, a method for transmitting a packet via an initiating security gateway may include receiving a packet including a virtual local area network tag and mapping the virtual local area network tag to a selector. Further, the method may include mapping the selector to a security policy stored within a security policy database. In addition, the method may include performing an IPsec procedure based on the security policy, and transmitting the packet to the terminating security gateway across a tunnel.
In yet another aspect of the present embodiment, a network system is provided. The network system may include a home agent in communication with a user device via a user session, and an access server that authenticates the user device and provides a virtual local area network tag for the user session to the home agent. Additionally, the network system may include an initiating security gateway that receives a packet including the virtual local area network tag from the home agent. The initiating security gateway may also include a selector table mapping the virtual local area network tag to a selector. Additionally, the network system may include a security policy database that maps the selector to at least one security policy defining an Internet Protocol security procedure, and the Internet Protocol security procedure may be applied to the packet. Furthermore, the network system may also include a receiving network having a terminating security gateway that receives the packet from the initiating security gateway via a tunnel.
In another aspect of the present embodiment, an initiating security gateway may include a selector module having a filtering mechanism for identifying a virtual local area network tag within a packet. Additionally, the selector module may also include a selector table for mapping the virtual local area network tag to a selector. The initiating security gateway may also include a security policy database for mapping the selector to an Internet Protocol security policy. Furthermore, the initiating security gateway may also include an Internet Protocol Security module for applying the Internet Protocol security policy to the packet while sending the packet to a terminating security gateway.
BRIEF DESCRIPTION OF DRAWINGS
FIG. 1 shows a block diagram overview of an exemplary embodiment of a virtual private network (VPN);
FIG. 2 shows a more detailed block diagram of an exemplary initiating security gateway of the VPN of FIG. 1;
FIG. 3 shows a more detailed block diagram of connections between an exemplary initiating security gateway and terminating security gateway of the VPN of FIG. 1;
FIG. 4 shows a more detailed block diagram of exemplary intermediate components within the VPN of FIG. 1;
FIG. 5 shows a more detailed block diagram of exemplary network domains within the VPN of FIG. 1;
FIG. 6 shows an exemplary selector table stored within the initiating security gateway of FIG. 2 mapping virtual local area network (VLAN) tags to terminating security gateway addresses;
FIG. 7 shows an exemplary method of transmitting data from an initiating security gateway to a terminating security gateway of the VPN of FIG. 1 using the table of FIG. 6;
FIG. 8 shows an exemplary selector table stored within the initiating security gateway of FIG. 2 mapping VLAN tags to network domains within the VPN; and
FIG. 9 shows an exemplary method of transmitting data from an initiating security gateway to a terminating security gateway of the VPN of FIG. 1 using the table of FIG. 8.
DETAILED DESCRIPTION
I. Exemplary Network Access System
In an exemplary network access system (e.g., VPN), a user device (e.g., computer, mobile phone) may establish a user session with a receiving network (e.g., corporate LAN, Internet). The user session may pass through a network backbone (e.g., Internet Service Provider (ISP)) having an initiating security gateway. Further, the user session may utilize a tunnel between the initiating security gateway and a terminating security gateway within the receiving network. IPsec procedures may be performed on packets transmitted along the tunnel during the user session.
A. Exemplary Use of Security Associations and IPsec
Before applying IPsec procedures to packets, a security association (SA) may be established for the user session. An SA may define authentication and encryption keys to be used by IPsec, as well as key lifetimes and key replacement procedures.
An SA may be uniquely identified by a security protocol identifier, an IP destination address, and a security parameter index (SPI). The security protocol identifier may identify the type of protocol(s) used by IPsec and may include an authentication header (AH) and/or encapsulated security payload (ESP). The SPI may be a random number (e.g., 32-bit value) that is communicated between the initiating and terminating security gateways. For more information on mechanisms for creating an SA, one can refer to Request for Comments (RFC) 2408, “Internet Security Association and Key Management Protocol (ISAKMP)”, and RFC 2409, “The Internet Key Exchange (IKE)”, respectively, the contents of which are incorporated in their entirety herein by reference.
After an SA has been established, packets utilizing IPsec may be transmitted along the secure user session. AHs may be used with packets to help ensure the integrity of the transmitted data (e.g., to certify that a packet has not been tampered with). Additionally, or alternatively, ESPs may be used for encrypting and securing a packet.
In addition, IPsec may be used in a transport mode, where packet data (but not the IP header) is encrypted. Alternatively, IPsec may be used in a tunnel mode, where the entire packet including the header is encrypted. A packet using IPsec may include a region called a selector for determining what part of the packet to encrypt or authenticate. When sending the packet from an initiating security gateway to the receiving network, an attempt may be made to match the selector specified within the packet to a set of selectors that correspond to IPsec policies and are stored within a security policy database (SPD). If a matching selector is found within the SPD, then its corresponding IPsec policy may be applied to the packet. For more information on IPsec, one can refer to RFC 2401, “Security Architecture for the Internet Protocol”, the contents of which are incorporated in its entirety herein by reference.
B. Assigning VLAN Tags to Exemplary User Sessions
A virtual local area network (VLAN) may be a network of devices that are on different physical LAN segments but act as if they are connected to the same wire. VLAN tags may be headers within a frame that are used for identifying the VLAN which the device sending the frame belongs to. For more information on VLANs and VLAN tags, one can refer to Institute for Electrical and Electronics Engineers (IEEE) 802.1q, the contents of which are incorporated in their entirety herein by reference.
In the present embodiment, a VLAN tag may be assigned to a new user session created between a user device and the receiving network. Packets subsequently sent by the user device that utilize the user session may include the assigned VLAN tag. When an initiating security gateway within the network backbone receives a packet from the user device, it may extract the VLAN tag from the packet. The current IPsec protocol generally does not allow the use of VLAN tags as selectors within an SPD. However, the VLAN tag may be provided to a selector table in order to find a corresponding selector (e.g., IP address or network domain name), and the selector may be provided to the SPD to obtain an IPsec policy. The selector and/or VLAN tag may also be used to obtain QoS markings that are subsequently applied to the packet.
After an IPsec policy has been obtained from the SPD, the initiating security gateway may perform IPsec procedures (e.g., creating an AH, ESP, IPsec tunnel) on the packet, and transmit the packet via a tunnel (e.g., IP-in-IP or IPsec tunnel) to a terminating security gateway within the receiving network. The terminating security gateway may then perform a reverse IPsec procedure on the packet, which may include decrypting and authenticating the packet based on the SPI, destination address, and security protocol identifier (e.g., AH or ESP).
Additionally, a second SPD within the terminating security gateway may then be searched for a value that matches an identification parameter specified within the packet (e.g., domain name or IP address for the user device). If no value matching the identification parameter is found, the packet may be dropped. If a matching value is found, the packet may be forwarded to a final destination as specified by its destination address.
For packets sent from the network to the user device utilizing the user session, IPsec procedures may be performed by the terminating security gateway, and a tunnel (e.g., IP-in-IP or IPsec tunnel) may be created to the initiating security gateway. A reverse IPsec procedure may then be performed within the initiating security gateway, and the packet may then be forwarded to the user device.
The present embodiments may include a number of advantages. VLAN tags may be used in the network access system for providing differentiated IPsec and/or QoS capabilities for packets sent along the tunnel during the user sessions. Additionally, the VLAN tags may enable load balancing of packet-switched data within the network access system. Further, the VLAN tags may provide greater flexibility to changes in the topology of the network access system.
II. Exemplary VPN
Turning now to the drawings, FIG. 1 is a block diagram overview of an exemplary VPN 100, though any remotely accessible network or network access system may be used in alternate embodiments. The VPN 100 includes a network backbone 120 having a home agent 130 in communication with an initiating security gateway 140. One or more user devices 102, 104, 106 may be in communication with the home agent 130 via a foreign agent 110. Additionally, one or more user devices 108 may be in direct communication with the home agent 130. Furthermore, an access server 150 may be in communication with the home agent 130, and a storage unit 160 may be connected to the access server 150. The initiating security gateway 140 may also communicate with a terminating security gateway 180 within a receiving network 170 (e.g., LAN). In the present embodiment, each of the user devices 102–108 engages in a single user session “A–D”, respectively, with the terminating security gateway 180, though multiple concurrent user sessions for a user device are also possible. For more information on network access systems and VPNs, one can refer to the commonly owned U.S. Pat. No. 6,151,628 and RFC 2764, “A Framework for IP Based Virtual Private Networks”, the contents of which are incorporated in their entirety herein by reference.
A. Exemplary Communication Mechanisms and User Devices
A variety of communication mechanisms may be used with the user devices 102–108. For example, the user devices 102–108 may utilize a dial-up (e.g., modem) connection mechanism for user sessions with the home agent 130. A variety of alternate connection mechanisms, including wireless, Ethernet, DSL, and cable connection mechanisms, may also be utilized. Furthermore, any number of tunneling mechanisms (e.g., IPsec, Layer 2 Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP)) may also be utilized for these connections.
The connection mechanisms between other components within the VPN 100 are preferably Ethernet connections upon which Transmission Control Protocol/Internet Protocol (TCP/IP) and/or Universal Datagram Protocol (UDP)/IP packets may be sent. Further, in an exemplary embodiment, the connection between the security gateways 140, 180 may be an IP-in-IP or IPsec tunnel, as will be described later. It should be understood that any other connection known in the art that enables communication between network devices may also be utilized in the present embodiment.
The user devices 102–108 may include any device capable of connecting to the receiving network 170. In the present embodiment, the user device 102 may be a Personal Digital Assistant (PDA), the user device 104 may be a desktop computer, the user device 106 may be a laptop computer utilizing a wireless link, and the user device 108 may be a mobile phone. It should be understood that a variety of other user devices (e.g., videophones, facsimile machines, printers) may also be used with the present embodiment. Furthermore, although four (4) user devices are shown in the present embodiment, any number of different user devices may be utilized in the VPN 100, and these user devices may form part of a LAN.
The foreign agent 110 may enable the user devices 102, 104, 106 to access the home agent 130 from a remote location. For example, the user devices 102, 104, 106 may use the foreign agent 110 for their user sessions A–C if they are in a region not serviced by the home agent 130. The foreign agent 110 may then forward these user sessions A–C through the home agent 130. In a present embodiment, the foreign agent 110 may be a Packet Data Serving Node (PDSN), but any known device having such functionality may alternatively be utilized (e.g., IP Routers, Wireless LAN Access Nodes, InterWorking Units (IWU)).
Additionally, it should be noted that the user devices 102, 104, 106, 108, the foreign agent 110, and/or the home agent 130 may communicate via any type of wireline (e.g., Ethernet) or wireless communication technology (e.g., Code-Division Multiple Access 2000 (CDMA2000), Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Universal Mobile Telecommunications System (UMTS), 3G, IEEE 802.11, etc.). To illustrate, in an exemplary embodiment, the user device 102 may use antennas, packet control functions (PCFs), base transceiver stations (BTSs), base station controllers (BSCs), and/or mobile switching centers (MSCs) for wirelessly communicating with the foreign agent 110 (e.g., PDSN) via CDMA2000 wireless technology.
B. Exemplary Network Backbone
The network backbone 120 preferably enables the user devices 102–108 to communicate with the receiving network 170. In the present embodiment, the network backbone 120 may include an Internet Service Provider (ISP). ISPs and network backbones are well known in the art, and a variety of different commercial ISPs are in existence today, such as AOL-Time Warner, Inc. (New York, N.Y.) and United Online, Inc. (Westlake Village, Calif.). In the present embodiment, the network backbone 120 may be a connection point of the VPN 100, through which most components directly or indirectly communicate. It should be understood that the above recitation of commercial network backbones is meant to illustrate, not limit, the spirit and scope of the present embodiment.
The home agent 130 may be a software or hardware entity within a remote access server (RAS) that the user devices 102–108 remotely access in order to communicate with the receiving network 170. Additionally, the home agent 130 may be in communication with the access server 150, and include a timeout mechanism (not shown) in order to timeout a connection to the access server 150 if it is not responsive. In the present embodiment, the home agent 130 may be installed at a central office (CO) of a telephone company. Further, the home agent 130 may be capable of connecting and disconnecting thousands of user sessions from devices such as user device 108 and/or the foreign agent 110. An exemplary home agent 130 for use in the present embodiment may be a software program running on the Total Control Enterprise Network Hub incorporating an integral general purpose computing platform, e.g., the HiPerAr™ card, both of which are commercially available from the present assignee, 3COM Corporation. This computing platform card may allow the home agent 130 to run a commercially available stand-alone operating system, such as a standard operating system or a custom operating system designed for the exemplary VPN 100.
Additionally, the home agent 130 may utilize other remote access software products, such as RADIUS (Remote Authentication Dial In User Service) or DIAMETER software. These protocols may be utilized during communication with the access server 150. Further, previously described connection mechanisms may also utilize the RADIUS protocol, which is described in RFC 2865, “Remote Authentication Dial In User Service (RADIUS)”, the contents of which are incorporated in its entirety herein by reference. It should be understood that a number of other commercially available or known home agents and connection protocols may also be utilized with the present embodiment.
The initiating security gateway 140 may be any type of gateway device capable of creating a connection (e.g., tunnel) with the receiving network 170. The initiating security gateway 140 may also be capable of adding QoS markings and performing IPsec procedures on a packet. As shown in FIG. 2, an exemplary embodiment of an initiating security gateway 140 may include a selector module 142, SPD 144, QoS module 146, and IPsec module 148. These exemplary components 142–148 will be described in more detail shortly.
C. Exemplary Access Server and Storage Unit
Turning back to FIG. 1, the access server 150 may be any type of server or computing device that performs authentication and access authorization for user devices 102–108 connecting to the receiving network 170. Consistent with the RADIUS protocol, the access server 150 may receive an access-request packet from the network device 110, and may respond with an access-accept packet or an access-reject packet (packets not shown). The format of access-request, access-accept, and access-reject packets is described within RFC 2865.
The access server 150 may use a variety of different mechanisms to authenticate the user devices 102–108. One method of authorization includes telephone number or International Mobile Subscriber Identifier (IMSI) authentication, where the access server 150 may validate the telephone number of the user device 102–108 that dials in to the home agent 130. Thus, connection requests from user devices 102–108 with telephone numbers outside the coverage of the network backbone 120 may be immediately rejected, forwarded to another network backbone (not shown), or forwarded to another access server.
Additionally, or alternatively, the access server 150 may utilize a username/password authentication mechanism, where the user devices 102–108 may submit a username and password that are subsequently analyzed by the access server 150. If the access server 150 determines that the username and password are not valid, the requested connection may be rejected with an access-reject packet. If the username and password are valid, the access server 150 may enable the corresponding user device 102–108 to access the receiving network 170 through an access-accept packet. If the access server 150 is unavailable or unable to process the username and password that it has received, it may ask the home agent 130 to try a connection with another access server. Alternatively, other technologies may also be utilized for authenticating a user, such as face recognition, signature recognition, retina recognition, and DNA analysis. It should be understood that multiple access servers may be utilized in alternate embodiments and that some access servers, while operating independently, may operate on a single computing device or be integrated within a single housing.
The storage unit 160 may be a relational database, or any other mechanism known in the art for storing data. Alternatively, an SRAM, DRAM, buffer, magnetic hard disk drive, or optical memory may be used as a storage unit 160 in the present exemplary embodiment. The storage unit 160 preferably stores and matches usernames and passwords, as well as other data (e.g., phone numbers) that may be used for identification and authentication of the user devices 102–108. Thus, the access server 150 may be in communication with and read data from the storage unit 160 when validating a user device 102–108. Additionally, when a new user device is added to the list of user devices 102–108 that are authorized to access the receiving network 170, the access server 150 may record the new identification and authorization information (e.g., username, password, phone number, etc.) in the storage unit 160. Alternatively, this new data may be written to the storage unit 160 by other machines or input devices, such as a computer or user keypad (not shown). Additionally, it should be understood that identification and authentication information for user devices 102–108 may be split among different storage areas, or that different storage areas may store redundant data.
Furthermore, the access server 150 and/or storage unit 160 may assign a VLAN tag to the new user session during authorization. The storage unit 160 may include a table mapping VLAN tags to domain names and/or terminating security gateways within the receiving network 170. Thus, the VLAN tag may be assigned to the new user session depending on the domain and/or terminating security gateway it will pass through within the receiving network 170 en route to its destination. To illustrate, in an exemplary scenario, a new user session may be created for the user device 106 after it is authenticated and authorized to access the receiving network 170 by the access server 150. The access server 150 may then provide the user device 106 with a VLAN tag associated with a terminating security gateway 180 that is en route to the final destination of the user session. The VLAN tag may then be saved within a mobility binding record (MBR) associated with the new user session within any number of different locations within the VPN 100, such as within the user device 106 and/or home agent 130. The MBR may also include a variety of other types of information, such as the address of the foreign agent 110, location and IP address of the user device 106, type of tunneling scheme used between the user device 106 and the foreign agent 110, IP address of the initiating security gateway 140, and lifetime of the MBR.
Continuing with the exemplary scenario, the VLAN tag associated with the new user session may be included in packets sent from the user device 106 to the initiating security gateway 140. In an exemplary embodiment, the home agent 130 may add the VLAN tags to the packets, although other elements within the VPN 100 (e.g., user device 106, foreign agent 110) may additionally or alternatively add the VLAN tags. As will be described later, the VLAN tags within the packets may be mapped to a selector table within the initiating security gateway 140 to find a corresponding selector. The selector may then be used to determine security policies and/or QoS markings for the packets.
D. Exemplary Receiving Network and Terminating Security Gateway
In the present embodiment, the receiving network 170 may be a corporate LAN that is accessible from the network backbone 120. Of course, other types of networks (e.g., WANs or Asynchronous Transfer Mode (ATM) networks) may additionally or alternatively be utilized.
The terminating security gateway 180 within the receiving network 170 may be similar to the initiating security gateway 140. In the present embodiment, the terminating security gateway 180 may include an SPD, IPsec module, and QoS module (components not shown). Preferably, the SPD within the terminating security gateway 180 is statically configured to match the SPD 144 within the initiating security gateway 140, but dynamic configuration schemes and differences between the SPDs are possible. Further, the terminating security gateway 180 may also include a selector module similar to the selector module 142, though this is not utilized in the present embodiment.
When the terminating security gateway 180 receives a packet from the initiating security gateway 140, it may perform a reverse IPsec procedure on the packet. The reverse IPsec procedure may include terminating the tunnel (e.g., IP-in-IP or IPsec) for the packet, decrypting the encapsulated security payload and checking the authentication header for the integrity of the packet. After the reverse IPsec procedure has been performed, the packet may be forwarded to its final destination depending on its destination IP address.
III. Exemplary Initiating Security Gateway
Turning now to FIG. 2, an exemplary embodiment of the initiating security gateway 140 is shown in more detail. As described previously, the initiating security gateway 140 may include the selector module 142, SPD 144, QoS module 146, and IPsec module 148. More or fewer components may be used for the initiating security gateway 140 in alternate embodiments, or various components may be combined. For example, in an alternate embodiment, the SPD 144 may be part of the selector module 142 or may be external to the initiating security gateway 140. Further, any of the components 142–148 may be software and/or hardware based, depending on their desired functionality.
A. Exemplary Selector Module
The selector module 142 may include a filtering mechanism for identifying VLAN tags within packets. In the present embodiment, the selector module 142 may use the filtering mechanism to read and/or extract VLAN tags from packets sent from the user devices 102–108 to the initiating security gateway 140. The VLAN tags may be stored within any portion (e.g., MAC header) of the packets and may take any value, such as between 1 and 4095. Furthermore, the selector module 142 may include a selector table that maps VLAN tags to selectors. These selectors may be subsequently used to find security policies within the SPD 144. Exemplary selectors and selector tables that may be used in the present embodiment will be described in more detail shortly.
B. Exemplary Security Policy Database
The SPD 144 may be a relational database, but alternatively, may include a static random access memory (SRAM), dynamic random access memory (DRAM), buffer, magnetic hard disk drive, optical memory, or any other storage mechanism known in the art. In the present embodiment, the SPD 144 may store different IPsec policies mapped to selectors. By providing a specific selector to the SPD 144, a matching IPsec policy may be found. The IPsec policy may be subsequently applied to corresponding packets passing through the initiating security gateway 140, as will be described later in an exemplary method.
C. Exemplary QoS Module
In the present embodiment, the QoS module 146 may be in communication with the selector module 142 and the IPsec module 148. The QoS module 146 may also include a QoS table mapping QoS markings to VLAN tags included within the packets. Alternatively, or additionally, the QoS table may map the QoS markings to the selectors determined within the selector module 142. Thus, depending on the VLAN tag and/or selector provided to the QoS module 146, a matching set of QoS markings may be provided from the QoS table. The QoS module 146 may then mark packets with matching QoS markings to indicate the desired service parameters of the packet-switched data (e.g., minimum throughput, maximum latency). Different user domains or user sessions may have different QoS parameters and thus, packet-switched data for each user domain or session may be marked differently. In the present embodiment, QoS markings may be placed within the Type of Service (ToS) byte field within the IP packet header, though any portion of the packet may be marked in alternate embodiments. Further, the QoS table mapping the QoS markings may alternatively be stored within another component inside the initiating security gateway 140 (e.g., the SPD 144), and the QoS module 146 may communicate with that component in order to obtain the proper QoS markings. For more information on QoS, one can refer to RFC 2386, “A Framework for QoS-based Routing in the Internet”, the contents of which are incorporated in its entirety herein by reference.
D. Exemplary IPsec Module
The IPsec module 148 may be used to initiate an IPsec tunnel between the initiating security gateway 140 and the terminating security gateway 180. Alternatively, or additionally, other tunneling mechanisms (e.g., IP-in-IP, L2TP, PPTP) may be utilized between the gateways 140, 180, and IPsec may be utilized in a transport mode. Further, the IPsec module 148 may add an authentication header (AH) to packets passing through to help ensure the integrity of transmitted data. The IPsec module 148 may also encrypt the packet data and add an encapsulating security payload (ESP) to the header. For more information on IPsec, one can refer to the previously cited RFC 2401.
IV. Exemplary Connection between Gateways within the VPN
FIG. 3 shows exemplary connections between the initiating security gateway 140 and terminating security gateways 180a, 180b within the receiving network 170. It should be understood that the terminating security gateways 180a, 180b are preferably substantially similar to the previously described terminating security gateway 180. As shown in FIG. 3, packets containing VLAN tags of “1”, “2” and “3” may be forwarded from the initiating security gateway 140 to the terminating security gateway 180a along connections “1”, “2”, and “3a”, respectively. Similarly, packets containing VLAN tags of “3” or “4” may be forwarded from the initiating security gateway 140 to the terminating security gateway 180b along connections “3b” and “4”, respectively. Although shown as separate connections, the connections “1”–“3a” and “3b”–“4” may share the same physical transmission lines. Further, it should be noted that a packet having a single VLAN tag (e.g., “3”) may be mapped to more than one terminating security gateway 180a, 180b within the same receiving network 170.
Using the present VPN configuration, differentiated QoS and/or IPsec procedures may be applied to packets having different VLAN tags. In an exemplary scenario, VLAN tags “1” and “4” may correspond to a basic level of QoS and/or IPsec service, VLAN tag “2” may correspond to an intermediate level of QoS and/or IPsec service, and VLAN tag “3” may correspond to a premium level of QoS and/or IPsec service. In the present scenario, each of the VLAN tags “1”–“4” directs a corresponding packet to the same receiving network 170. However, the actual VLAN tag assigned to a user session may affect the level of QoS and IPsec protection for the user session.
Additionally, the present configuration may enable load balancing of data traffic within the VPN 100. For example, at a given time, user sessions utilizing VLAN tag “1” may be transmitting an especially high number of packets. At the same time, user sessions utilizing VLAN tag “4” may be transmitting a very low number of packets, possibly due to the termination of an abnormally large number of user sessions that utilize VLAN tag “4”. If the QoS and IPsec levels are the same for user sessions associated with VLAN tags “1” and “4”, the access server 150 or other network component may intelligently assign new user sessions to VLAN tag “4” (corresponding to terminating security gateway 180b) in order to load balance the data traffic and prevent an overload on terminating security gateway 180a.
V. Exemplary Intermediate Components within the VPN
Turning now to FIG. 4, another exemplary embodiment of the VPN 100 is shown having exemplary intermediate components. In the present embodiment, the home agent 130 may be in communication with a routing device 302 (e.g., switch or router). The routing device 302 may be further in communication with initiating security gateways 140a–d, which may be in communication with the terminating security gateways 180a, 180b within the receiving networks 170a, 170b, respectively. It should be understood that the initiating security gateways 140a–d, receiving networks 170a–b, and terminating security gateways 180a–b are preferably substantially the same as the previously described initiating security gateway 140, receiving network 170, and terminating security gateway 180, respectively. Furthermore, the initiating security gateways 140a–d may communicate with one another and/or other elements within the VPN 100 to facilitate load balancing. Also, the terminating gateways 180a–b may have IP addresses of “149.112.213.100” and “168.114.200.104”, respectively, though any other type of address may alternatively be used. It should be further understood that any number of these or other components may be utilized in alternate embodiments. For example, additional switch(es) and compression server(s) may alternatively be utilized between the home agent 130 and the routing device 302.
In the present embodiment, the routing device 302 may forward packets from the home agent 130 to the initiating security gateways 140a–d depending on the VLAN tags contained within the packet. For example, if a packet has a VLAN tag of 1, the routing device 302 may route the packet to the initiating security gateway 140a. Alternatively, if the packet has a VLAN tag of either a 3 or a 5, the packet may be forwarded to initiating security gateway 140c. It should be evident that any number and combination of forwarding scenarios may be used in the present embodiment.
Once a packet reaches one of the initiating security gateways 140a–140d, it may be copied and/or forwarded to one or more of the terminating security gateways 180a–b. Preferably, an IP-in-IP tunnel or IPsec tunnel is created at this stage in order to transport the packet. After the packet reaches one or more of the receiving networks 170a–b, it may be forwarded to its appropriate destination (e.g., as specified by its destination IP address). An exemplary method of sending a packet from a user device to a receiving network will be described shortly.
Similar to the previous exemplary embodiment, the access server 150 may assign VLAN tags to new user sessions in order to create differentiated QoS and/or IPsec services. VLAN tags may also be intelligently assigned to enable load balancing of data traffic among the initiating security gateways 140a–d and terminating security gateways 180a–b.
VI. Exemplary Network Domains within VPN
Turning now to FIG. 5, an exemplary embodiment of the VPN 100 is shown with a number of network domains 172a–c forming part of the receiving network 170. In the present embodiment, packets including VLAN tags “1”–“5” may be received by the initiating security gateway 140. Although shown as separate connections, the connections “1”–“3a” and “3b”–“4” may share the same physical transmission lines. These VLAN tags may be mapped to network domain names (e.g., “@mozart.music.3com.com”, “@beethoven.music.3com.com”, “@chopin.music.3com.com”) within the selector table. For example, packets including a VLAN tag of “5” may be forwarded to the network domain “@chopin.music.3com.com”, and packets including a VLAN tag of “3” may be copied and/or forwarded to network domains “@mozart.music.3com.com” and “@beethoven.music.3com.com”. It should be understood that any number and type of network domains and domain names may be used with the present embodiment.
The network domain names may be used as selectors into the SPD 144 for finding a corresponding IPsec policy and/or a corresponding TSGA. For example, if the domain name “@mozart.music.3com.com” is used as a selector to the SPD 144, a corresponding IPsec policy and address of the corresponding terminating security gateway 180a may be found. It should be understood that any number of terminating security gateways and network domains may map to one another. Additionally, the QoS module 146 may use the network domain name, VLAN tag, and/or QoS table to find QoS markings for the packet. Further, the IPsec module 148 may create a tunnel (e.g., IPsec tunnel) from the initiating security gateway 140 to the terminating security gateway 180a, and the packet may then be forwarded to the proper destination depending on the original destination address of the packet.
VII. Exemplary Selector Table and Selectors
FIG. 6 shows an exemplary selector table 600 mapping VLAN tags 610 to terminating security gateway addresses (TSGAs) 620 for the terminating security gateways 180a–b in FIG. 4. In the present embodiment, the TSGAs 620 may be used as selectors to the SPD 144, though a number of other types of selectors may also be used, such as a source or destination IP address (e.g., IP version 4 (IPv4) or IP version 6 (IPv6)), user identification (e.g., a fully qualified user name string or X.500 distinguished name), system name (e.g., host or security gateway name), data sensitivity level (e.g., IP Security Option (IPSO)/Commercial IPSO (CIPSO) labels), transport layer protocol (e.g., obtained from the IPv4 “Protocol” or IPv6 “Next Header” fields), and source and destination (e.g., TCP or UDP) ports. As shown in the selector table 600, multiple VLAN tags may map to the same TSGA (e.g., entries 632, 634, 636 and entries 638, 640, 642), and one VLAN tag may map to multiple TSGAs (e.g., entries 636, 638). Further, a VLAN tag and a TSGA may uniquely map to one another.
Corresponding to the exemplary embodiment shown in FIG. 4, each of the initiating security gateways 140a–d may include the entire selector table 600. Alternatively, each initiating security gateway 140a–d may store a portion of the selector table 600 relevant to the VLAN tag(s) associated with that initiating security gateway 140a–d. For example, the initiating security gateway 140a may store entry 632 corresponding to VLAN tag “1”, and the initiating security gateway 140c may store entries 636, 638, and 642, corresponding to VLAN tags “3” and “5”.
Although the TSGAs may use IP addresses in the present embodiment, other types of addressing (e.g., Media Access Control (MAC)) may also be utilized. Furthermore, it should be noted that within the current IPsec protocol, VLAN tags are not usable as selectors. Thus, the present embodiment may be used to provide a method of differentiating IPsec policy by using VLAN tags.
VIII. Exemplary Method of Packet Transmission
FIG. 7 shows an exemplary method 700 of transmitting data within the VPN 100 using the selector table 600 and the exemplary configuration shown in FIG. 4. Although the present method 700 describes a user session “A” for the user device 102, it should be understood that the method 700 may alternatively be applied to any number and type of user sessions and devices, with any number of different configurations for the VPN 100.
In the present method 700, the user device 102 may already have established an SA and a user session “A” with the terminating security gateway 180a within the receiving network 170a. The user device 102 may also already be authenticated and authorized by the access server 150 to access the receiving network 170a. Further, the access server 150 may have already provided a VLAN tag (e.g., VLAN tag “1”) for the user session “A”.
In the first step 702, the user device 102 may send a packet to the home agent 130 during the user session “A”. The home agent 130 may include the VLAN tag in the packet and forward the packet to the selector module 142 within the initiating security gateway 140a. The selector module 142 may utilize the selecting mechanism (e.g., filter) for recognizing and obtaining the VLAN tag value within the packet.
In the following step 704, the VLAN tag may be mapped to one or more of the TSGAs 620 within the selector table 600. In the present embodiment, the VLAN tag may correspond to a TSGA that is the address of the terminating security gateway 180a. This TSGA may then be used as a selector within the SPD 144.
Additionally, in step 706, the selector module 142 may perform IP-in-IP tunneling on the packet. Thus, the selector module 142 may add a destination address to the packet header that corresponds to the address of the terminating security gateway 180a. The selector module 142 may also add a source address to the packet header that corresponds to the address of the initiating security gateway 140a.
In step 708, the packet may be forwarded to the QoS module 146, where the packet may be marked by QoS markings. The QoS module 146 may add the QoS markings to the ToS byte or other field within the packet. Furthermore, the QoS markings for the packet may be determined by querying the QoS table with the selector (e.g., TSGA) and/or VLAN tag.
In the following step 710, the packet may be forwarded to the IPsec module 148, which may initiate IPsec procedures on the packet. The IPsec module 148 may use the address of the terminating security gateway 180a as a selector within the SPD 144 in order to extract a corresponding IPsec policy. The IPsec module 148 may then apply the IPsec policy to the packet, which may include adding an authentication header and/or encapsulated security payload to the packet header. The IPsec policy may also specify additional tunneling mechanisms (e.g., IPsec tunnel) to be implemented on top of the IP-in-IP tunnel.
In step 712, the packet may be transmitted from the initiating security gateway 140a to the terminating security gateway 180a across the IP-in-IP tunnel. In the following step 714, the terminating security gateway 180a may perform a reverse IPsec procedure, which may include decapsulating the tunneled packet, decrypting the packet, checking the authentication header to help ensure the integrity of the packet data, and comparing the selector within the packet to selectors within the locally stored SPD.
In step 716, the packet may then be forwarded to its final destination, as specified by the packet's original destination address. The final destination may be located internal or external to the network 170a.
For packets sent from the terminating security gateway 180a to the user device 102 utilizing the user session “A”, the terminating security gateway 180a may perform IPsec procedures on the packets and create a tunnel (e.g., IP-in-IP or IPsec tunnel) to the initiating security gateway 140a. A reverse IPsec procedure may then be performed within the initiating security gateway 140a, and the packet may be forwarded to the user device 102.
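The lookup chain of steps 702 to 710 (VLAN tag, selector table 600, QoS table and SPD, IP-in-IP outer header) is sketched below as an added example that is not part of the patent. It assumes the tag is carried in an IEEE 802.1Q header; the table rows are reconstructed from the text above, and the policy contents, ToS byte values, the gateway address 192.0.2.1 and the sample frames are constructed. A frame whose tag has no selector or policy is dropped rather than forwarded unprotected, and the ESP/AH processing itself is left out.

```python
import ipaddress
import struct

# Selector table 600 (VLAN tag -> TSGAs), reconstructed from the page's text;
# the rows for tags 2 and 4 are inferred from the description of FIG. 3 and 6.
TSG_A, TSG_B = "149.112.213.100", "168.114.200.104"
SELECTOR_TABLE = {1: [TSG_A], 2: [TSG_A], 3: [TSG_A, TSG_B], 4: [TSG_B], 5: [TSG_B]}

# Constructed SPD: selector (TSGA) -> IPsec policy. Policy contents are assumptions.
SPD = {
    TSG_A: {"tunnel": "ip-in-ip", "esp": True, "ah": True},
    TSG_B: {"tunnel": "ip-in-ip", "esp": True, "ah": False},
}

# Constructed QoS table: VLAN tag -> ToS byte. The levels for tags 1-4 follow the
# page (basic / intermediate / premium); byte values and tag 5 are assumptions.
QOS_TABLE = {1: 0x00, 2: 0x28, 3: 0xB8, 4: 0x00, 5: 0x00}

ISG_ADDR = "192.0.2.1"  # constructed address of the initiating security gateway


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum; returns 0 when run over a valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, tos: int, payload_len: int) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def extract_vlan_tag(frame: bytes):
    """Selector-module filter: return (VLAN ID, inner IPv4 packet) or None."""
    if len(frame) < 18 + 20:
        return None                       # too short for 802.1Q + IPv4
    tpid, tci, ethertype = struct.unpack_from("!HHH", frame, 12)
    if tpid != 0x8100 or ethertype != 0x0800:
        return None                       # untagged, or payload is not IPv4
    inner = frame[18:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl:
        return None                       # malformed inner header
    return tci & 0x0FFF, inner            # VLAN ID is the low 12 bits of the TCI


def process(frame: bytes) -> dict:
    """Steps 702-710: tag -> selector(s) -> QoS marking and policy per tunnel."""
    parsed = extract_vlan_tag(frame)
    if parsed is None:
        return {"action": "drop", "reason": "no usable VLAN tag"}
    vid, inner = parsed
    tsgas = SELECTOR_TABLE.get(vid)
    if not tsgas or vid not in QOS_TABLE:
        return {"action": "drop", "reason": f"VLAN tag {vid} has no selector"}
    if any(tsga not in SPD for tsga in tsgas):
        return {"action": "drop", "reason": f"no policy for a selector of tag {vid}"}
    tos = QOS_TABLE[vid]
    tunnels = []
    for tsga in tsgas:                    # one tag may fan out to several TSGAs
        # Steps 706 and 708 combined: outer IP-in-IP header (protocol 4) from the
        # initiating gateway to the TSGA, with the ToS byte already marked.
        outer = ipv4_header(ISG_ADDR, tsga, 4, tos, len(inner))
        tunnels.append({"selector": tsga, "policy": SPD[tsga], "packet": outer + inner})
    return {"action": "forward", "vlan": vid, "tos": tos, "tunnels": tunnels}


def sample_frame(vid=None) -> bytes:
    """Constructed frame: Ethernet II, optional 802.1Q tag, bare IPv4 header."""
    macs = bytes.fromhex("020000000002" "020000000001")
    inner = ipv4_header("10.0.0.5", "10.1.0.9", 17, 0, 0)
    if vid is None:
        return macs + struct.pack("!H", 0x0800) + inner
    return macs + struct.pack("!HHH", 0x8100, vid, 0x0800) + inner


if __name__ == "__main__":
    for tag in (1, 3, 7, None):
        result = process(sample_frame(tag))
        print(tag, result["action"], [t["selector"] for t in result.get("tunnels", [])])
```
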
IX. Another Exemplary Selector Table
Turning now to FIG. 8, a second selector table 800 is shown having VLAN tags 810 corresponding to domain names 820. The selector table 800 may be substantially similar to the table 600 except that the TSGAs 620 have been replaced with domain names 820 corresponding to the network domains 172a–c as shown in FIG. 5. For example, as shown in entry 832, a VLAN tag of “1” may correspond to the network domain 172a that has the domain name “@mozart.music.3com.com”.
Additionally, the domain names 820 may be used as selectors within the SPD 144. It should be understood that the domain names 820, as well as the TSGAs 620, are merely exemplary, and that any type or number of such selectors may be utilized with the present embodiment.
X. Exemplary Selector Table Configuration
A network administrator may statically configure a selector table (e.g., selector tables 600, 800) within the initiating security gateway 140 to match the table within the storage unit 160 used for assigning VLAN tags. Alternatively, a selector table may be dynamically configured and matched to the table within the storage unit 160. In a dynamic configuration scheme, a change in the table within the storage unit 160 may trigger the same change within the selector table. Such a change may be communicated between the storage unit 160 and the initiating security gateway 140 using any type of communication medium (e.g., Ethernet, wireless communications, etc.). A dynamic configuration scheme may be advantageous, since a change in the storage unit table (e.g., caused by a change in network configuration) may automatically cause a change within a selector table (e.g., selector tables 600 or 800), thus reducing the need for manual reconfiguration of the selector table.
XI. Another Exemplary Method of Packet Transmission
FIG. 9 shows another exemplary method 900 of transmitting data within the VPN 100 using the selector table 800 and the exemplary configuration shown in FIG. 5. The present method 900 is preferably substantially similar to the previously described method 700 except that the domain names 820 may be used as selectors within the SPD 144 instead of the TSGAs 620. Furthermore, although the present method 900 describes a user session “A” for the user device 102, it should be understood that the method 900 may alternatively be applied to any number and type of user sessions and devices, with any number of different configurations for the VPN 100.
In the present method 900, the user device 102 may already have established an SA and a user session “A” with the terminating security gateway 180a within the receiving network 170a. The user device 102 may also already be authenticated and authorized by the access server 150 to access the receiving network 170a. Further, the access server 150 may have already provided a VLAN tag (e.g., VLAN tag “1”) for the user session “A”.
In the first step 902, the user device 102 may send a packet to the home agent 130 during the user session “A”. Furthermore, the home agent 130 may add to the packet a VLAN tag (e.g., “1”) that is assigned to the user session “A”. The home agent 130 may then forward the packet to the selector module 142 within the initiating security gateway 140. The selector module 142 may utilize the selecting mechanism (e.g., filter) for recognizing and extracting the VLAN tag within the packet.
In the following step 904, the VLAN tag may be mapped to one or more of the domain names 820 within the selector table 800. As shown in FIG. 8, the VLAN tag “1” may correspond to the domain name “@mozart.music.3com.com”. In step 906, this domain name may be used as a selector within the SPD 144.
In step 908, the packet may be forwarded to the QoS module 146, where the packet may be marked by QoS markings. The QoS module 146 may add the QoS markings to the ToS byte or other field within the packet. Furthermore, the QoS markings for the packet may be determined by querying the QoS table with the selector (e.g., domain name) and/or VLAN tag.
In the following step 910, the packet may be forwarded to the IPsec module 148, which may initiate IPsec procedures on the packet. The IPsec module 148 may use the domain name (e.g., “@mozart.music.3com.com”) as a selector within the SPD 144 in order to extract a corresponding IPsec policy. The IPsec module 148 may then apply the IPsec policy to the packet, which may include adding an authentication header and/or encapsulated security payload to the packet header. Furthermore, the IPsec module 148 may initiate an IPsec tunnel between the initiating security gateway 140 and the terminating security gateway 180a in order to forward the packet to the network domain 172a (having the domain name “@mozart.music.3com.com”).
In step 912, the packet may be transmitted from the initiating security gateway 140 to the terminating security gateway 180a across the IPsec tunnel. In the following step 914, the terminating security gateway 180a may perform a reverse IPsec procedure, which may include decapsulating the tunneled packet, decrypting the packet, checking the authentication header to help ensure the integrity of the packet data, and comparing the selector within the packet to selectors within the locally stored SPD.
In step 916, the packet may then be forwarded to its final destination, as specified by the packet's original destination address. The final destination may be located internal or external to the receiving network 170.
For packets sent from the terminating security gateway 180a to the user device 102 utilizing the user session “A”, IPsec procedures may be performed by the terminating security gateway 180a, and a tunnel (e.g., IP-in-IP or IPsec tunnel) may be created to the initiating security gateway 140. A reverse IPsec procedure may then be performed within the initiating security gateway 140, and the packet may be forwarded to the user device 102.
The present embodiments may provide a number of advantages. First, by utilizing VLAN tags for identifying user domains or user sessions, differentiated tunneling and/or Quality of Service capabilities may be specified by the user for each of these sessions. Additionally, the use of VLAN tags may enable a flexible network topology that is easily scalable as the number of user devices changes. Furthermore, by mapping VLAN tags to user sessions, the present embodiments may allow a convenient and organized way of assigning priorities to different user domains or user sessions. Additionally, the present embodiments may enable load balancing of packet-switched data through a VPN through the use of VLAN tags.
It should be understood that a wide variety of additions and modifications may be made to the exemplary embodiments described within the present application. For example, more or fewer components (e.g., switches) may be utilized with the VPN 100 depending on its desired functionality. Further, in an alternate embodiment, the home agent 130 and the initiating security gateway 140 may be stored within the same housing and be part of a single hardware component, and the single hardware component may also perform compression/decompression procedures. It is therefore intended that the foregoing description illustrates rather than limits this invention and that it is the following claims, including all of the equivalents, which define this invention:

Claims (32)

20. A network system comprising:
a home agent in communication with a user device via a user session;
an access server that authenticates the user device and provides a virtual local area network tag for the user session to the home agent;
an initiating security gateway that receives a packet including the virtual local area network tag from the home agent, wherein the initiating security gateway includes a selector table mapping the virtual local area network tag to a selector;
a security policy database that is associated with an Internet Protocol Security protocol, wherein the security policy database maps the selector to at least one security policy defining an Internet Protocol security procedure, wherein the Internet Protocol security procedure is applied to the packet; and
a receiving network including a terminating security gateway that receives the packet from the initiating security gateway via a tunnel.
US10/279,364 | Priority date 2002-10-24 | Filing date 2002-10-24 | System and method for using virtual local area network tags with a virtual private network | Expired - Lifetime | US7062566B2 (en)

Priority Applications (4)

Application Number | Publication | Priority Date | Filing Date | Title
US10/279,364 | US7062566B2 (en) | 2002-10-24 | 2002-10-24 | System and method for using virtual local area network tags with a virtual private network
AU2003287191A | AU2003287191A1 (en) | 2002-10-24 | 2003-10-23 | System and method for using virtual local area network tags with a private network
PCT/US2003/033643 | WO2004038559A2 (en) | 2002-10-24 | 2003-10-23 | System and method for using virtual local area network tags with a private network
TW092129674A | TW200420071A (en) | 2002-10-24 | 2003-10-24 | System and method for using virtual local area network tags with a virtual private network

Applications Claiming Priority (1)

Application Number | Publication | Priority Date | Filing Date | Title
US10/279,364 | US7062566B2 (en) | 2002-10-24 | 2002-10-24 | System and method for using virtual local area network tags with a virtual private network

Publications (2)

Publication Number | Publication Date
US20040083295A1 (en) | 2004-04-29
US7062566B2 (en) | 2006-06-13

Family

ID=32106689

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
US10/279,364 | Expired - Lifetime | US7062566B2 (en) | 2002-10-24 | 2002-10-24 | System and method for using virtual local area network tags with a virtual private network

Country Status (4)

Country | Link
US (1) | US7062566B2 (en)
AU (1) | AU2003287191A1 (en)
TW (1) | TW200420071A (en)
WO (1) | WO2004038559A2 (en)

US8966018B2 (en)2006-05-192015-02-24Trapeze Networks, Inc.Automated network device configuration and network deployment
US8978105B2 (en)2008-07-252015-03-10Trapeze Networks, Inc.Affirming network relationships and resource access via related networks
US9191327B2 (en)2011-02-102015-11-17Varmour Networks, Inc.Distributed service processing of network gateways using virtual machines
US9191799B2 (en)2006-06-092015-11-17Juniper Networks, Inc.Sharing data between wireless switches system and method
US9258702B2 (en)2006-06-092016-02-09Trapeze Networks, Inc.AP-local dynamic switching
US9294442B1 (en)2015-03-302016-03-22Varmour Networks, Inc.System and method for threat-driven security policy controls
US9380027B1 (en)2015-03-302016-06-28Varmour Networks, Inc.Conditional declarative policies
US9438634B1 (en)2015-03-132016-09-06Varmour Networks, Inc.Microsegmented networks that implement vulnerability scanning
US9467476B1 (en)2015-03-132016-10-11Varmour Networks, Inc.Context aware microsegmentation
US9483317B1 (en)2015-08-172016-11-01Varmour Networks, Inc.Using multiple central processing unit cores for packet forwarding in virtualized networks
US9521115B1 (en)2016-03-242016-12-13Varmour Networks, Inc.Security policy generation using container metadata
US9525697B2 (en)2015-04-022016-12-20Varmour Networks, Inc.Delivering security functions to distributed networks
US9529995B2 (en)2011-11-082016-12-27Varmour Networks, Inc.Auto discovery of virtual machines
US9560081B1 (en)2016-06-242017-01-31Varmour Networks, Inc.Data network microsegmentation
US9609026B2 (en)2015-03-132017-03-28Varmour Networks, Inc.Segmented networks that implement scanning
US9680852B1 (en)2016-01-292017-06-13Varmour Networks, Inc.Recursive multi-layer examination for computer network security remediation
US9762599B2 (en)2016-01-292017-09-12Varmour Networks, Inc.Multi-node affinity-based examination for computer network security remediation
US9787639B1 (en)2016-06-242017-10-10Varmour Networks, Inc.Granular segmentation using events
US9973472B2 (en)2015-04-022018-05-15Varmour Networks, Inc.Methods and systems for orchestrating physical and virtual switches to enforce security boundaries
US10009381B2 (en)2015-03-302018-06-26Varmour Networks, Inc.System and method for threat-driven security policy controls
US10091238B2 (en)2014-02-112018-10-02Varmour Networks, Inc.Deception using distributed threat detection
US10178070B2 (en)2015-03-132019-01-08Varmour Networks, Inc.Methods and systems for providing security to distributed microservices
US10193929B2 (en)2015-03-132019-01-29Varmour Networks, Inc.Methods and systems for improving analytics in distributed networks
US10191758B2 (en)2015-12-092019-01-29Varmour Networks, Inc.Directing data traffic between intra-server virtual machines
US10264025B2 (en)2016-06-242019-04-16Varmour Networks, Inc.Security policy generation for virtualization, bare-metal server, and cloud computing environments
US10755334B2 (en)2016-06-302020-08-25Varmour Networks, Inc.Systems and methods for continually scoring and segmenting open opportunities using client data and product predictors
US11290493B2 (en)2019-05-312022-03-29Varmour Networks, Inc.Template-driven intent-based security
US11290494B2 (en)2019-05-312022-03-29Varmour Networks, Inc.Reliability prediction for cloud security policies
US11310284B2 (en)2019-05-312022-04-19Varmour Networks, Inc.Validation of cloud security policies
US11575563B2 (en)2019-05-312023-02-07Varmour Networks, Inc.Cloud security management
US11711374B2 (en)2019-05-312023-07-25Varmour Networks, Inc.Systems and methods for understanding identity and organizational access to applications within an enterprise environment
US11734316B2 (en)2021-07-082023-08-22Varmour Networks, Inc.Relationship-based search in a computing environment
US11777978B2 (en)2021-01-292023-10-03Varmour Networks, Inc.Methods and systems for accurately assessing application access risk
US11818152B2 (en)2020-12-232023-11-14Varmour Networks, Inc.Modeling topic-based message-oriented middleware within a security system
US11863580B2 (en)2019-05-312024-01-02Varmour Networks, Inc.Modeling application dependencies to identify operational risk
US11876817B2 (en)2020-12-232024-01-16Varmour Networks, Inc.Modeling queue-based message-oriented middleware relationships in a security system
US12050693B2 (en)2021-01-292024-07-30Varmour Networks, Inc.System and method for attributing user behavior from multiple technical telemetry sources

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US5787428A (en) * | 1994-02-16 | 1998-07-28 | British Telecommunications Public Limited Company | Control of database access using security/user tag correspondence table
US6151628A (en) | 1997-07-03 | 2000-11-21 | 3Com Corporation | Network access methods, including direct wireless to internet access
US6425085B2 (en) * | 1997-07-17 | 2002-07-23 | Canon Kabushiki Kaisha | Terminal device and method for requesting user certification from host computer
US6253321B1 (en) * | 1998-06-19 | 2001-06-26 | Ssh Communications Security Ltd. | Method and arrangement for implementing IPSEC policy management using filter code
US6438612B1 (en) * | 1998-09-11 | 2002-08-20 | Ssh Communications Security, Ltd. | Method and arrangement for secure tunneling of data between virtual routers
US6330562B1 (en) * | 1999-01-29 | 2001-12-11 | International Business Machines Corporation | System and method for managing security objects
US6587466B1 (en) * | 1999-05-27 | 2003-07-01 | International Business Machines Corporation | Search tree for policy based packet classification in communication networks
US6539483B1 (en) * | 2000-01-12 | 2003-03-25 | International Business Machines Corporation | System and method for generation VPN network policies
US6708218B1 (en) * | 2000-06-05 | 2004-03-16 | International Business Machines Corporation | IpSec performance enhancement using a hardware-based parallel process

Non-Patent Citations (10)

* Cited by examiner, † Cited by third party
Title
IEEE Std 802.Q-1998, "IEEE Standards For Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks", IEEE Computer Society. Dec. 1998.
International Search Report for PCT Application Serial No. PCT/US03/33643, Dated May 11, 2004.
Internet Engineering Task Force (IETF), Requests For Comments (RFC) 2386, "A Framework For QoS-Based Routing In the Internet", Aug. 1998.
Internet Engineering Task Force (IETF), Requests For Comments (RFC) 2401, "Security Architecture For the Internet Protocol", Nov. 1998.
Internet Engineering Task Force (IETF), Requests For Comments (RFC) 2408, "Internet Security Association and Key Management Protocol (ISAKMP)", Nov. 1998.
Internet Engineering Task Force (IETF), Requests For Comments (RFC) 2409, "The Internet Key Exchange (IKE)", Nov. 1998.
Internet Engineering Task Force (IETF), Requests For Comments (RFC) 2764, "A Framework For IP Based Virtual Private Networks", Feb. 2000.
Internet Engineering Task Force (IETF), Requests For Comments (RFC) 2865, "Remote Authentication Dial In User Service (RADIUS)", Jun. 2000.
Internet Engineering Task Force (IETF), Requests For Comments (RFC) 2868, "RADIUS Attributes For Tunnel Protocol Support", Jun. 2000.
Internet Engineering Task Force (IETF), Requests For Comments (RFC) 3168, "The Addition of Explicit Congestion Notification (ECN) to IP", Sep. 2001.

US9351200B2 (en)*2007-07-132016-05-24Apple Inc.Quality of service control in multiple hop wireless communication environments
US8305897B2 (en)*2007-07-132012-11-06Apple Inc.Quality of service control in multiple hop wireless communication environments
US8958300B2 (en)*2007-07-132015-02-17Apple Inc.Quality of service control in multiple hop wireless communication environments
US20160255568A1 (en)*2007-07-132016-09-01Apple Inc.Quality of Service Control in Multiple Hop Wireless Communication Environments
US9629061B2 (en)*2007-07-132017-04-18Apple Inc.Quality of service control in multiple hop wireless communication environments
US8000243B2 (en)*2007-07-132011-08-16Nortel Networks LimitedQuality of service control in multiple hop wireless communication environments
US20170208530A1 (en)*2007-07-132017-07-20Apple Inc.Quality of Service Control in Multiple Hop Wireless Communication Environments
US20150163697A1 (en)*2007-07-132015-06-11Apple Inc.Quality of service control in multiple hop wireless communication environments
US8902904B2 (en)2007-09-072014-12-02Trapeze Networks, Inc.Network assignment based on priority
US8509128B2 (en)2007-09-182013-08-13Trapeze Networks, Inc.High level instruction convergence function
US8238942B2 (en)2007-11-212012-08-07Trapeze Networks, Inc.Wireless station location detection
US8150357B2 (en)2008-03-282012-04-03Trapeze Networks, Inc.Smoothing filter for irregular update intervals
US8474023B2 (en)2008-05-302013-06-25Juniper Networks, Inc.Proactive credential caching
US8978105B2 (en)2008-07-252015-03-10Trapeze Networks, Inc.Affirming network relationships and resource access via related networks
US8238298B2 (en)2008-08-292012-08-07Trapeze Networks, Inc.Picking an optimal channel for an access point in a wireless network
US20100118882A1 (en)*2008-11-102010-05-13H3C Technologies Co., Ltd.Method, Apparatus, and System For Packet Transmission
US8861547B2 (en)2008-11-102014-10-14Hangzhou H3C Technologies Co., Ltd.Method, apparatus, and system for packet transmission
US20100246426A1 (en)*2009-03-252010-09-30Christian BergeMethod allowing a monitoring system of the network of an operator to classify ip flows
US8929229B2 (en)*2009-03-252015-01-06Infovista SaMethod allowing a monitoring system of the network of an operator to classify IP flows
US20110023125A1 (en)*2009-07-242011-01-27Yongbum KimMethod and system for integrating remote devices into a domestic vlan
US20140173757A1 (en)*2009-07-242014-06-19Broadcom CorporationMethod And System For Integrating Remote Devices Into A Domestic VLAN
US8707456B2 (en)*2009-07-242014-04-22Broadcom CorporationMethod and system for integrating remote devices into a domestic VLAN
WO2011120381A1 (en)*2010-04-012011-10-06中兴通讯股份有限公司Quality of service processing method and device for virtual private network traffic
US8542836B2 (en)2010-12-012013-09-24Juniper Networks, Inc.System, apparatus and methods for highly scalable continuous roaming within a wireless network
US9609083B2 (en)2011-02-102017-03-28Varmour Networks, Inc.Distributed service processing of network gateways using virtual machines
US8612744B2 (en)2011-02-102013-12-17Varmour Networks, Inc.Distributed firewall architecture using virtual machines
US9191327B2 (en)2011-02-102015-11-17Varmour Networks, Inc.Distributed service processing of network gateways using virtual machines
US8813169B2 (en)2011-11-032014-08-19Varmour Networks, Inc.Virtual security boundary for physical or virtual network devices
US9529995B2 (en)2011-11-082016-12-27Varmour Networks, Inc.Auto discovery of virtual machines
US10091238B2 (en)2014-02-112018-10-02Varmour Networks, Inc.Deception using distributed threat detection
US10178070B2 (en)2015-03-132019-01-08Varmour Networks, Inc.Methods and systems for providing security to distributed microservices
US10158672B2 (en)2015-03-132018-12-18Varmour Networks, Inc.Context aware microsegmentation
US9467476B1 (en)2015-03-132016-10-11Varmour Networks, Inc.Context aware microsegmentation
US9438634B1 (en)2015-03-132016-09-06Varmour Networks, Inc.Microsegmented networks that implement vulnerability scanning
US10110636B2 (en)2015-03-132018-10-23Varmour Networks, Inc.Segmented networks that implement scanning
US10193929B2 (en)2015-03-132019-01-29Varmour Networks, Inc.Methods and systems for improving analytics in distributed networks
US9609026B2 (en)2015-03-132017-03-28Varmour Networks, Inc.Segmented networks that implement scanning
US9621595B2 (en)2015-03-302017-04-11Varmour Networks, Inc.Conditional declarative policies
US10009381B2 (en)2015-03-302018-06-26Varmour Networks, Inc.System and method for threat-driven security policy controls
US9380027B1 (en)2015-03-302016-06-28Varmour Networks, Inc.Conditional declarative policies
US9294442B1 (en)2015-03-302016-03-22Varmour Networks, Inc.System and method for threat-driven security policy controls
US10333986B2 (en)2015-03-302019-06-25Varmour Networks, Inc.Conditional declarative policies
US10084753B2 (en)2015-04-022018-09-25Varmour Networks, Inc.Delivering security functions to distributed networks
US9973472B2 (en)2015-04-022018-05-15Varmour Networks, Inc.Methods and systems for orchestrating physical and virtual switches to enforce security boundaries
US9525697B2 (en)2015-04-022016-12-20Varmour Networks, Inc.Delivering security functions to distributed networks
US9483317B1 (en)2015-08-172016-11-01Varmour Networks, Inc.Using multiple central processing unit cores for packet forwarding in virtualized networks
US10191758B2 (en)2015-12-092019-01-29Varmour Networks, Inc.Directing data traffic between intra-server virtual machines
US9680852B1 (en)2016-01-292017-06-13Varmour Networks, Inc.Recursive multi-layer examination for computer network security remediation
US9762599B2 (en)2016-01-292017-09-12Varmour Networks, Inc.Multi-node affinity-based examination for computer network security remediation
US10382467B2 (en)2016-01-292019-08-13Varmour Networks, Inc.Recursive multi-layer examination for computer network security remediation
US10009317B2 (en)2016-03-242018-06-26Varmour Networks, Inc.Security policy generation using container metadata
US9521115B1 (en)2016-03-242016-12-13Varmour Networks, Inc.Security policy generation using container metadata
US10264025B2 (en)2016-06-242019-04-16Varmour Networks, Inc.Security policy generation for virtualization, bare-metal server, and cloud computing environments
US10009383B2 (en)2016-06-242018-06-26Varmour Networks, Inc.Data network microsegmentation
US9560081B1 (en)2016-06-242017-01-31Varmour Networks, Inc.Data network microsegmentation
US9787639B1 (en)2016-06-242017-10-10Varmour Networks, Inc.Granular segmentation using events
US10755334B2 (en)2016-06-302020-08-25Varmour Networks, Inc.Systems and methods for continually scoring and segmenting open opportunities using client data and product predictors
US11290493B2 (en)2019-05-312022-03-29Varmour Networks, Inc.Template-driven intent-based security
US11575563B2 (en)2019-05-312023-02-07Varmour Networks, Inc.Cloud security management
US11711374B2 (en)2019-05-312023-07-25Varmour Networks, Inc.Systems and methods for understanding identity and organizational access to applications within an enterprise environment
US11310284B2 (en)2019-05-312022-04-19Varmour Networks, Inc.Validation of cloud security policies
US11863580B2 (en)2019-05-312024-01-02Varmour Networks, Inc.Modeling application dependencies to identify operational risk
US11290494B2 (en)2019-05-312022-03-29Varmour Networks, Inc.Reliability prediction for cloud security policies
US11818152B2 (en)2020-12-232023-11-14Varmour Networks, Inc.Modeling topic-based message-oriented middleware within a security system
US11876817B2 (en)2020-12-232024-01-16Varmour Networks, Inc.Modeling queue-based message-oriented middleware relationships in a security system
US11777978B2 (en)2021-01-292023-10-03Varmour Networks, Inc.Methods and systems for accurately assessing application access risk
US12050693B2 (en)2021-01-292024-07-30Varmour Networks, Inc.System and method for attributing user behavior from multiple technical telemetry sources
US11734316B2 (en)2021-07-082023-08-22Varmour Networks, Inc.Relationship-based search in a computing environment

Also Published As

Publication number | Publication date
AU2003287191A1 (en) | 2004-05-13
AU2003287191A8 (en) | 2004-05-13
WO2004038559A3 (en) | 2004-07-01
WO2004038559A2 (en) | 2004-05-06
TW200420071A (en) | 2004-10-01
US20040083295A1 (en) | 2004-04-29

Similar Documents

Publication | Publication Date | Title
US7062566B2 (en) |  | System and method for using virtual local area network tags with a virtual private network
US7389534B1 (en) |  | Method and apparatus for establishing virtual private network tunnels in a wireless network
CA3047654C (en) |  | Vxlan implementation method, network device, and communications system
EP1878169B1 (en) |  | Operator shop selection in broadband access related application
US6915345B1 (en) |  | AAA broker specification and protocol
EP3267653B1 (en) |  | Techniques for authenticating a subscriber for an access network using dhcp
US7478427B2 (en) |  | Method and apparatus for providing adaptive VPN to enable different security levels in virtual private networks (VPNs)
JP4105722B2 (en) |  | Communication device
CN103747499B (en) |  | Method and apparatus for common control protocol for wired and wireless nodes
US7143435B1 (en) |  | Method and apparatus for registering auto-configured network addresses based on connection authentication
US20060059551A1 (en) |  | Dynamic firewall capabilities for wireless access gateways
US7562384B1 (en) |  | Method and apparatus for providing a secure name resolution service for network devices
CN1319337C (en) |  | Authentication method based on Ethernet authentication system
CN110650075A (en) |  | Group policy implementation method, network device and group policy implementation system based on VXLAN
US20080155678A1 (en) |  | Computer system for controlling communication to/from terminal
Bahl et al. |  | Secure wireless internet access in public places
EP1777872A1 (en) |  | A METHOD REALIZING AUTHORIZATION ACCOUNTING OF MULTIPLE ADDRESSES USER IN THE IPv6 NETWORK
Ventura |  | Diameter: Next generations AAA protocol
US20090106449A1 (en) |  | Method and apparatus for providing dynamic route advertisement
Cisco |  | Intranet and Extranet VPN Business Scenarios
Carpenter et al. |  | Connecting IPv6 Routing Domains Over the IPv4 Internet
López et al. |  | Implementing RADIUS and diameter AAA systems in IPv6-based scenarios
Hills et al. |  | IP virtual private networks
Xie et al. |  | A generic way for wireline and wireless access authentication
Veltri et al. |  | DHCP-based authentication for mobile users/terminals in a wireless access network

Legal Events

Date | Code | Title | Description
AS | Assignment

Owner name: 3COM CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:AMARA, SATISH;WARRIER, CHANDRA;KUNG, CHING;REEL/FRAME:013424/0404

Effective date: 20021022

STCF | Information on status: patent grant

Free format text: PATENTED CASE

FPAY | Fee payment

Year of fee payment: 4

AS | Assignment

Owner name: HEWLETT-PACKARD COMPANY, CALIFORNIA

Free format text: MERGER;ASSIGNOR:3COM CORPORATION;REEL/FRAME:024630/0820

Effective date: 20100428

AS | Assignment

Owner name: HEWLETT-PACKARD COMPANY, CALIFORNIA

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE SEE ATTACHED;ASSIGNOR:3COM CORPORATION;REEL/FRAME:025039/0844

Effective date: 20100428

AS | Assignment

Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P., TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT-PACKARD COMPANY;REEL/FRAME:027329/0044

Effective date: 20030131

AS | Assignment

Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P., TEXAS

Free format text: CORRECTIVE ASSIGNMENT PREVIUOSLY RECORDED ON REEL 027329 FRAME 0001 AND 0044;ASSIGNOR:HEWLETT-PACKARD COMPANY;REEL/FRAME:028911/0846

Effective date: 20111010

FPAY | Fee payment

Year of fee payment: 8

AS | Assignment

Owner name: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP, TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.;REEL/FRAME:037079/0001

Effective date: 20151027

MAFP | Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553)

Year of fee payment: 12

AS | Assignment

Owner name: VALTRUS INNOVATIONS LIMITED, IRELAND

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP;HEWLETT PACKARD ENTERPRISE COMPANY;REEL/FRAME:055360/0424

Effective date: 20210121

